syslog-ng-users September 2010 archive

Re: [syslog-ng] pure-ftpd

From: Peter Czanik <czanik_at_nospam>
Date: Fri Sep 24 2010 - 14:17:19 GMT
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>

Hello,

On 09/24/2010 03:34 PM, Martin Holste wrote:
> My votes:
>
>
>> - many times there is just a question mark instead of the username.
>> Should it still be stored in a variable (useracct.username) or only for
>> the Logout lines, where it actually might get a useful value?
>>
> I would vote not to store the question mark since I think the ? is
> equivalent to NULL, which is what would get logically stored anyway.
>
>
>> - the "New connection" line has the same info (the IP address) twice.
>> How should it be handled?
>>
> I'm not seeing the IP twice in the examples you provided.
It was broken into two lines due to automatic line breaks, but the next
is a single log line, where the remote IP address (192.168.2.142)
appears twice:
Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142

> If it is
> indeed there twice, I guess the question is what the tag name is for
> both. If you weren't planning on having a tag for one of the two
> occurrences, then I would say skip that one since it wouldn't make
> sense without a tag name.
>
As the address/fqdn is always the same here, belonging to the same
variable, useracct.device, storing it once is enough. Then the first
appearance could be discarded with @QSTRING::@@)@ and the second one
stored with an @ANYSTRING:useracct.device@

>
>> - how should Anonymous login be handled?
>> @QSTRING:useracct.username: @
>> vs.
>> <value name="usracct.username">Anonymous</value>
>>
>>
> I think "Anonymous" should definitely get logged the same as any other
> user name, since you would want to see that on reports.
It would be stored both ways, I just would like to know which is more
elegant, less resource hungry, etc.

> Another
> thought would be to maybe switch it to the IP address, but I don't see
> how you would do that across log lines.
>
Well, that would require some session tracking, but even then we are out
of luck, as session information is missing from the logs.
Bye,

--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
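The following is an added example, not part of the mail thread or of the syslog-ng project, that parses the "New connection" line discussed above in plain Python. It mirrors the pattern Peter sketches: the parenthesised prefix is matched but its address part is discarded (the role of @QSTRING::@@)@), the address after "New connection from" is kept as useracct.device (the role of @ANYSTRING:useracct.device@), and a bare "?" username is stored as None rather than as a literal question mark, as Martin suggested. Since the thread's design rests on the assumption that both copies of the address are always identical, the parser also records whether that held for each line, so a mismatch is visible rather than silently dropped. The regex, the field names other than useracct.username and useracct.device, and all sample lines except the first (which is the one quoted in the mail) are constructed here.

```python
import re
from typing import Optional

# Constructed sample input. The first line is the one quoted in the mail,
# re-joined into a single line; the other two are constructed here to
# exercise the "Anonymous" case and a prefix/address mismatch.
SAMPLE_LINES = [
    "Sep 24 13:52:42 linux-6y8u pure-ftpd: (?@192.168.2.142) [INFO] New connection from 192.168.2.142",
    "Sep 24 13:52:50 linux-6y8u pure-ftpd: (Anonymous@192.168.2.142) [INFO] New connection from 192.168.2.142",
    "Sep 24 13:53:01 linux-6y8u pure-ftpd: (?@10.0.0.5) [INFO] New connection from 192.168.2.142",
]

# Regex counterpart (an assumption of this example) of the patterndb pattern
# under discussion: "prefix_device" plays the part of the unnamed QSTRING that
# is matched and thrown away; "device" is what @ANYSTRING:useracct.device@ keeps.
NEW_CONNECTION_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) pure-ftpd: "
    r"\((?P<username>[^@)]*)@(?P<prefix_device>[^)]*)\) "
    r"\[(?P<level>[A-Z]+)\] New connection from (?P<device>\S+)$"
)


def parse_new_connection(line: str) -> Optional[dict]:
    """Parse one pure-ftpd 'New connection' line into the fields the thread
    settles on; return None for lines that do not match."""
    m = NEW_CONNECTION_RE.match(line)
    if m is None:
        return None
    username = m.group("username")
    return {
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "level": m.group("level"),
        # "?" carries no information, so it is mapped to None (the NULL the
        # thread talks about); "Anonymous" is kept like any other user name.
        "useracct.username": None if username == "?" else username,
        # The second occurrence of the address is the one stored.
        "useracct.device": m.group("device"),
        # The design assumes both copies agree; record whether they did so
        # that a log line breaking the assumption can be spotted downstream.
        "device_consistent": m.group("prefix_device") == m.group("device"),
    }


def parse_lines(lines) -> list:
    """Parse a sequence of log lines, skipping those that are not
    'New connection' lines."""
    return [r for r in (parse_new_connection(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for record in parse_lines(SAMPLE_LINES):
        print(record)
```

Running the block prints one dictionary per sample line; the third one has device_consistent set to False, which is the case the "store it once" decision would otherwise hide.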